Iniciar sesión
Documentación NoKycVPS — guías KVM, NVMe, SSH, IPMI, despliegue offshore
Documentation · everything we know, written down

How to deploy. How to operate. How to leave.

The complete docs — every API endpoint, every supported image, every error code. No marketing, no condescension. If something is missing, it's a bug.

Five minutes · first server

Quick start

  1. 01

    Create an account

    Email and password. No phone, no ID. Persistent 30-day sessions, revocable from settings.

    Go to sign-up →
  2. 02

    Top up your balance

    Send any supported coin to the one-time address. We credit USD-reference at the rate when funds confirm.

    Top-up flow →
  3. 03

    Deploy your first server

    Pick a plan, a region, an OS image, paste an SSH key. Provisioning takes 30–90 seconds.

    Open the configurator →
  4. 04

    Connect via SSH

    Key-based only by default. Paste the IPv4 from the dashboard, log in as root, change what you need.

    SSH details →
Twelve categories · one page

Find what you need

Or just scroll. The full docs are on this page.

Getting started

Account, top-up, first deploy.

Account

Sign-up, sessions, 2FA, deletion.

Billing

Crypto deposits, balance, ledger.

Server lifecycle

Deploy, reboot, rebuild, rescue, destroy.

SSH & access

Keys, agents, multiplexing, rescue.

Networking

IPv4/v6, rDNS, firewall, DDoS.

Operating systems

Image catalogue, custom ISOs, cloud-init.

API reference

REST endpoints, auth, examples.

Security & privacy

Encryption, canary, Tor mirror, 2FA.

Tutorials

WireGuard, Tor hidden service, Caddy, more.

Troubleshooting

Common errors, network diag, recovery.

FAQ

The questions everyone asks.
01 · Getting started

Getting started

The shortest possible path from nothing to a server you can SSH into is four steps. None of them require talking to a human. None of them require an identity document.

  1. Create an account. Email and password. The email is for breach notifications and warrant-canary alerts only — we never use it for marketing.
  2. Top up your balance. We do not store payment methods. You send any supported cryptocurrency to a one-time address; we credit your account balance in USD-reference once the deposit is confirmed.
  3. Deploy a server. Pick a plan, a region, an OS image, paste an SSH public key. Provisioning takes 30–90 seconds.
  4. Connect. SSH to the IPv4 the dashboard shows you. Log in as root on the SSH key you uploaded.
02 · Account

Account

Sign-up

Email + password. The password is hashed with bcrypt (cost factor 12). The email is normalised to lowercase, hashed for lookup, and never stored next to plaintext. We do not check the email is "real" beyond a basic syntax pass — you are free to use any address you control.

Sessions

Logging in creates a 30-day rolling session bound to a per-device secret stored in a HttpOnly, Secure, SameSite=Lax cookie. Each browser is a separate session; you can list and revoke them from Account → Security.

Two-factor authentication

Two options:

  • TOTP — RFC 6238, 30-second window, SHA-1 (compatible with every authenticator app). Recovery codes are generated once at setup and shown only that one time.
  • WebAuthn (FIDO2) — hardware keys, platform authenticators (Touch ID, Windows Hello). Multiple keys can be registered.

When 2FA is enabled it is required for: login, password change, API-token creation, and account deletion. It is not required for deploying servers from an active session — that would be the wrong place to slow you down.

Account deletion

Deletion is self-service from Account → Security → Delete account. The flow:

  1. All servers are destroyed (irreversible, no grace period).
  2. Remaining balance is forfeited (we have no way to send it back — crypto refunds require an address you've authenticated, which would itself be a KYC step).
  3. The account row is replaced with a tombstone (id + deletion timestamp). Email hash, password hash, sessions, tokens, SSH keys: gone.
  4. Billing ledger entries are retained for 13 months for fraud reconciliation, with no PII attached.
03 · Billing & balance

Billing & balance

Top-up flow

From Account → Billing → Top up:

  1. Pick a coin and an amount (USD-reference).
  2. We generate a one-time receive address and lock the rate for 30 minutes.
  3. You send funds. We watch for the required confirmations (see table below).
  4. Once confirmed, your account balance is credited at the locked rate. Any surplus is credited at the spot rate at confirmation time.

Supported coins & confirmations

CoinMin depositConfirmationsTypical wait
Bitcoin (BTC)$102~20 min
Monero (XMR)$510~20 min
Litecoin (LTC)$56~15 min
Ethereum (ETH)$1530~6 min
USDT · TRC-20$1020~1 min
USDC · ERC-20$1530~6 min
Bitcoin Lightning$1n/a (off-chain)seconds

Daily-charge model

You are charged once per UTC day for the prorated daily cost of every running server you own. The charge happens at 00:00:01 UTC against your balance.

  • If you have enough balance, the charge succeeds silently.
  • If you don't, you receive a warning email and the server is marked suspended. It stops billing and stops accepting traffic.
  • You have 7 days to top up. After 7 days the server is destroyed, its IPs released, and its disk wiped.

Ledger

Every line item is in Account → Billing → Ledger: top-ups, daily charges per server, SLA credits if applicable. Each row has a stable id you can reference. Exportable as CSV.

04 · Server lifecycle

Server lifecycle

Deploy

From Configure on any plan, or via the API. A new server moves through these states:

  • provisioning — we are allocating the VM. 30–90 seconds.
  • installing — OS image is being written and cloud-init is running. 30–120 seconds.
  • running — server is up; SSH is reachable.
  • stopped — gracefully shut down. No CPU/RAM bill while stopped, but the disk and IP are still allocated and billed.
  • suspended — balance went negative. Server is off and not reachable. 7-day grace period before destruction.

Reboot & rebuild

Two operations, often confused:

  • Reboot sends an ACPI shutdown signal to the guest, waits 30 s, then powers it back on. Disk contents are preserved. Add ?hard=true on the API call (or the "Hard reset" toggle in the UI) to skip the ACPI step.
  • Rebuild reinstalls the OS image from scratch. All disk data is destroyed. Cloud-init runs again. This is what you do when you want a fresh start without re-creating the server (keeps the same IPv4 and IPv6).

Rescue mode

Rescue mode boots the server from a small Alpine-based ISO into a 4 GB tmpfs. Your disks are unmounted and visible at /dev/vda, /dev/vdb, etc. Use it to:

  • Recover a system you've locked yourself out of (forgotten root password, broken sudo, etc.).
  • Unlock a LUKS-encrypted root volume manually.
  • Run fsck against a broken filesystem.
  • Image-dump a disk you're about to destroy.

Exit rescue mode by issuing a Reboot. The next boot picks the normal disk again.

Destroy

Destruction is irreversible. The disk is overwritten with zeros, the IPv4 returns to the pool after 24 hours of cooldown (to prevent immediate reuse of an address you may have published in DNS), and the IPv6 /64 returns to the pool immediately. The server's billing entry is closed at the timestamp of destruction.

05 · SSH & access

SSH & access

Every server is provisioned with key-based SSH only. Password authentication is disabled in the default sshd_config we ship; you are free to re-enable it, but we strongly recommend you don't.

SSH keys

Add keys at Account → SSH keys, paste any OpenSSH-format public key. We accept:

  • ssh-ed25519recommended. Short, fast, modern.
  • ssh-rsa — 3072 bits or more. (Anything smaller is rejected.)
  • ecdsa-sha2-nistp256 / nistp384 / nistp521 — accepted but discouraged.

Multiple keys per account. Multiple keys per server. Any key on the server's authorized list can log in.

Recommended ~/.ssh/config

~/.ssh/config
Host nokyc-*
    User root
    IdentityFile ~/.ssh/id_ed25519_nokyc
    IdentitiesOnly yes
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
    ServerAliveInterval 60
    ServerAliveCountMax 3

Then for a server with IPv4 198.51.100.42:

Host nokyc-edge
    HostName 198.51.100.42

And ssh nokyc-edge just works.

Rescue-mode SSH

The rescue ISO injects the same set of SSH keys at boot. The rescue host fingerprint is different from your normal host fingerprint — this is expected and not a man-in-the-middle. The rescue fingerprint is shown on the console in the dashboard.

06 · Networking

Networking

IP addressing

  • IPv4 — one per server, included in the plan. Additional IPv4 is not currently sold (we are conservative with v4 allocation).
  • IPv6 — one routed /64 per server, free. Use whatever addresses inside that prefix you like; we don't filter source addresses within your block.
  • All addresses are static for the life of the server. Rebuilding the OS does not change them.

Reverse DNS

From Server → Network → Reverse DNS, or via POST /servers/{id}/rdns. We propagate within 5 minutes. There is no validation that you actually control the forward record — the rDNS is yours to set as you like.

Firewall

Two layers:

  1. Edge filter (optional, configurable per server). Stateful, drop-by-default with the rules you provide. Lives on the hypervisor and protects the guest from receiving the traffic at all. Use it for layer-4 rules you want enforced before the guest even sees the packet.
  2. Guest firewall (entirely yours). nftables, iptables, pf, whatever your OS ships. We don't touch it.

DDoS mitigation

Volumetric-attack mitigation is always-on, upstream of our PoPs. There is nothing to enable. The thresholds:

  • < 10 Gbps: absorbed silently.
  • 10–100 Gbps: scrubbed at the transit provider. You may see brief latency increases.
  • > 100 Gbps: announced via BGP to a dedicated scrubbing path. Latency increases more noticeably; service remains reachable.
  • The "nuclear option" of null-routing an IP is on the table only for sustained attacks that threaten the wider PoP. We tell you within minutes if it happens.
07 · Operating systems

Operating systems

The image catalogue is refreshed on every upstream point release. The image_id in the right column is what you pass to the API.

FamilyVersionsArchInitimage_id
Debian 11 (bullseye), 12 (bookworm), 13 (trixie) amd64, arm64 cloud-init debian-13-minimal
Ubuntu 20.04, 22.04, 24.04 LTS amd64, arm64 cloud-init ubuntu-24.04
Alpine 3.18, 3.19, 3.20 amd64, arm64 cloud-init (community) alpine-3.20
Arch rolling (weekly snapshot) amd64 cloud-init arch-rolling
Fedora 39, 40, 41 amd64 cloud-init fedora-41
Rocky 9 (RHEL-compat) amd64 cloud-init rocky-9
OpenBSD 7.4, 7.5 amd64 manual / autoinstall openbsd-7.5
FreeBSD 13.3, 14.0 amd64 cloud-init freebsd-14
NixOS 24.05 amd64 nixos-rebuild nixos-24.05
Custom any (ISO upload ≤ 4 GB) amd64, arm64 whatever your ISO does custom

cloud-init user-data

Any image marked "cloud-init" accepts a user-data blob at deploy time. Up to 64 KiB. Example for a Debian server that installs WireGuard and sets a hostname:

user-data.yaml
#cloud-config
hostname: edge-paris
manage_etc_hosts: true

package_update: true
packages:
  - wireguard
  - nftables
  - mosh

write_files:
  - path: /etc/wireguard/wg0.conf
    permissions: '0600'
    content: |
      [Interface]
      PrivateKey = REDACTED
      Address    = 10.10.0.1/24
      ListenPort = 51820

runcmd:
  - systemctl enable --now nftables wg-quick@wg0
  - sed -i 's/#PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
  - systemctl restart ssh

Custom ISOs

Upload via POST /images (or Account → Images → Upload). Maximum 4 GiB. The ISO must be bootable in BIOS or UEFI mode (we present both). Once uploaded, the image gets an id like custom-9f4a2b1c and is selectable in any deploy flow.

08 · API reference

API reference

REST over HTTPS. JSON in, JSON out. Cursor-pagination on list endpoints. Idempotency keys supported on every POST via the Idempotency-Key header.

Base URL
https://api.nokycvps.com/v1
Tor onion mirror
nokycvpsapixxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion/v1
TLS
TLS 1.3 minimum. Certificate pinned to our intermediate CA — published in DNS via TLSA records.
Schema
OpenAPI 3.1 spec at /v1/openapi.json

Authentication

Bearer token, header Authorization: Bearer <token>. Tokens are created at Account → API tokens with one of three scopes:

  • read — read-only access to all resources except billing.
  • write — read + create/update/destroy. Cannot generate new top-up addresses.
  • billing — everything write can do, plus billing endpoints.

A token is shown once at creation. We store only its SHA-256 digest server-side; if you lose a token, rotate it.

Endpoints

MethodPathDescription
GET /servers List your servers (paginated, cursor-based).
POST /servers Create a new server. Returns the resource immediately in provisioning state.
GET /servers/{id} Get a single server, including IPs once provisioned.
DELETE /servers/{id} Destroy a server. Irreversible. Returns 202 Accepted.
POST /servers/{id}/reboot Soft reboot (ACPI). Use ?hard=true for power-cycle.
POST /servers/{id}/rebuild Reinstall from an image. All disk data is destroyed.
POST /servers/{id}/rescue Boot into the rescue ISO (Alpine-based, 4 GB tmpfs).
POST /servers/{id}/rdns Set reverse DNS for the server's IPv4 and/or IPv6.
GET /servers/{id}/console Return a one-time signed URL for the noVNC console (valid 5 min).
GET /servers/{id}/metrics 30-day rollup of CPU, RAM, disk, and bandwidth.
GET /images List available OS images, including custom uploads.
POST /images Upload a custom ISO. multipart/form-data, 4 GB max.
GET /regions List regions and their current availability for new deployments.
GET /plans List VPS and dedicated plans with current pricing.
GET /billing/balance Account balance in USD-reference and supported coins.
GET /billing/ledger Transaction history (top-ups, daily charges, credits).
POST /billing/topup Generate a one-time deposit address for a given coin.
GET /ssh-keys List SSH keys associated with the account.
POST /ssh-keys Add an SSH key (parses OpenSSH format).
DELETE /ssh-keys/{id} Remove an SSH key.
GET /account/tokens List API tokens. Scopes: read, write, billing.
POST /account/tokens Create a new API token. Returned once, never shown again.

Examples

Create a server:

curlPOST /v1/servers
curl https://api.nokycvps.com/v1/servers \
  -H "Authorization: Bearer $NOKYC_TOKEN" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: $(uuidgen)" \
  -d '{
    "name":     "edge-paris",
    "plan":     "vps-s2",
    "region":   "par",
    "image":    "debian-13-minimal",
    "ssh_keys": ["k_5f3a8c91"],
    "user_data_b64": null
  }'

Response (HTTP 201 Created):

jsonresponse
{
  "id":         "srv_8a1f2c34",
  "name":       "edge-paris",
  "status":     "provisioning",
  "plan":       "vps-s2",
  "region":     "par",
  "image":      "debian-13-minimal",
  "ipv4":       null,
  "ipv6":       null,
  "created_at": "2026-05-12T08:47:12Z",
  "ssh_keys":   ["k_5f3a8c91"]
}

Reboot it:

curl -X POST https://api.nokycvps.com/v1/servers/srv_8a1f2c34/reboot \
  -H "Authorization: Bearer $NOKYC_TOKEN"
# 202 Accepted

Error codes

All errors return JSON in the shape {"error": {"code": "...", "message": "...", "errors": [...]}}.

HTTPCodeMeaning
400 invalid_request The request body or query parameters did not validate. See errors[] for per-field detail.
401 unauthenticated Missing or expired bearer token.
403 forbidden_scope Token does not have the required scope for this endpoint.
404 not_found Resource does not exist or is not visible to your account.
409 conflict_state Resource is in a state that does not allow this operation (e.g. rebuilding a server that is already rebuilding).
422 unprocessable Body parsed but semantic validation failed (e.g. unavailable region for a plan).
429 rate_limited Rate-limit window exceeded. Retry-After header included.
451 jurisdictional_block Endpoint refused for legal reasons. Public canary updated.
500 internal Server-side error. Retry idempotent operations only.
503 maintenance Endpoint temporarily unavailable during a scheduled maintenance window.

Rate limits

60 requests per minute per token, with a 10-request burst. The bucket replenishes at 1 req/s. The headers on every response:

X-RateLimit-Limit:     60
X-RateLimit-Remaining: 57
X-RateLimit-Reset:     1747049892

If you exceed the bucket, you'll receive HTTP 429 with a Retry-After header in seconds. Provisioning endpoints have a separate, more permissive bucket (200/min) because they are inherently bursty.

09 · Security & privacy

Security & privacy

Disk encryption

We do not encrypt your disks for you. You can opt into LUKS at install time via cloud-init (the rescue ISO will prompt you for the passphrase on every boot). The reasons we don't auto-encrypt:

  • Auto-encryption with a key we hold is theatre — if compelled, we can produce the key.
  • Auto-encryption with a key you hold breaks unattended reboot.
  • Both modes are available; we let you pick the trade-off.

Warrant canary

We publish a daily-signed canary at https://nokycvps.com/canary.txt with a detached PGP signature at canary.txt.sig. The canary includes:

  • A current-date timestamp.
  • The headline of a current event we couldn't have predicted in advance (proof of liveness).
  • A list of explicit statements about orders we have not received.

When one of those statements would become false, we let the canary stop updating instead. Treat extended silence (> 48 hours) as a signal.

Tor onion mirror

The site and the API are both mirrored as v3 onion services. The hostnames are published in our DNS as TXT records on nokycvps.com and rotated yearly. From a Tor-routed client:

dig +short TXT _onion.nokycvps.com
# "v3 nokycvps...........................................onion"
# "v3 nokycvpsapi........................................onion/v1"

What we log

Concisely:

DataRetentionWhy
Login events (timestamp, country at city granularity)30 daysBreach detection. Country only, derived from MaxMind GeoLite. No IP stored.
API request lines (method, path, status, no body)7 daysDebugging. Rotated at 7d; no archives.
Billing ledger13 monthsReconciliation. No PII attached.
Network probe data per server (uptime, latency)90 daysSLA computation and the public status page.
Guest VM traffic (NetFlow, packet captures)0We do not collect either.
10 · Tutorials

Tutorials

Written by people who actually run this stuff. Each one is a single, copy-pasteable walk-through — no fifty-tab marketing detours.

Networking · 8 min

WireGuard VPN on a $4 VPS

One-config-file WireGuard with peer-add automation. Hardened defaults. IPv6 ready.

 Privacy · 12 min

Hosting a Tor hidden service

v3 onion, locked-down Nginx, fail-closed firewall. Survives reboots and key rotations.

 Web · 6 min

Reverse proxy with Caddy + auto-TLS

One Caddyfile, automatic Let's Encrypt, HTTP/3, sane logs by default.

 Security · 15 min

Encrypted root volume with LUKS

Customer-held passphrase. Reboot-survival via rescue-ISO unlock or dropbear-initramfs.

 Security · 5 min

Hardening SSH and root login

Disable passwords, restrict ciphers, root via prohibit-password, fail2ban with sane defaults.

 Ops · 10 min

Backups to a remote object store

Restic, S3-compatible endpoint, hourly cron, encrypted client-side. No backup software-as-a-service.

 Mail · 25 min

Private mail relay with Postfix & DKIM

Outbound-only relay. SPF, DKIM, DMARC. Reverse DNS that doesn't shout "VPS".

 Containers · 7 min

Dockerizing a small Go app

Multi-stage build, distroless base, healthchecks, log shipping.
11 · Troubleshooting

Troubleshooting

My deploy has been "provisioning" for more than 5 minutes

Provisioning normally takes 30–90 seconds. Anything past 3 minutes is unusual. Check the status page for a region-specific incident. If status is green, the most common cause is a custom ISO that fails to boot — check the noVNC console. If nothing helps: destroy and redeploy. We don't bill you for failed provisioning.

I lost my SSH key

From the dashboard: Server → Recovery → Boot into rescue. SSH into rescue with any current key on your account. mount /dev/vda1 /mnt, edit /mnt/root/.ssh/authorized_keys, reboot. If you have no keys at all on the account, add one first via the dashboard, then rescue.

My IPv4 is reachable from one country but not another

Try a traceroute from both ends. If the route diverges before reaching our PoP, this is upstream of us — we can show you the public smokeping for your region's transit at status.nokycvps.com. If the route reaches us but stops, it's our problem and the status page should already reflect it.

My VPS rebooted on its own

Three possible causes, in order of likelihood: (1) OOM-kill of init — check journalctl -k -b -1 from the prior boot. (2) Scheduled maintenance — check the dashboard's Notifications. (3) Hypervisor incident — check the status page. If none of the three, open the noVNC console and look at the boot log.

I sent crypto to the top-up address and nothing has happened

Check the confirmations. Bitcoin needs 2, Monero needs 10, etc. (see the supported-coins table). If confirmed but no credit after 30 minutes, paste the transaction hash into Account → Billing → Recover deposit — the credit will be applied within a few minutes once we manually re-check.

I get 429 Too Many Requests on the API

You've hit the per-token bucket. Honour the Retry-After header. If you have a legitimate need for higher throughput, create a second token — rate limits are per-token, and most clients use a single token. (Don't rotate the same token in a loop; we'd treat that as one.)

The noVNC console shows a blank screen

Press a key. Many guests blank the framebuffer after inactivity. If a key produces no response, the guest is probably hung; reboot from the dashboard. The console captures a SysRq sequence on Linux too — useful for debugging an unresponsive kernel.

12 · FAQ

FAQ

Do you ask for identity documents?

No. We don't ask, we don't accept, and we wouldn't store them if you sent them. The whole architecture is designed so we don't have identity to hand over.

Why crypto only?

Card networks impose KYC by design — the merchant agreement requires it. Crypto doesn't. Adding fiat would mean adding a payment processor, and adding a payment processor would mean adding their compliance department to our trust boundary. We did not want that.

Can I have multiple accounts?

Yes. We don't fingerprint, we don't device-cookie across accounts, we don't care. Use as many email addresses as you like.

What happens if my crypto provider asks me for KYC?

That's between you and them. We do not communicate with crypto exchanges, and the only thing they see in their books is a withdrawal to an address. They cannot tell, from the address alone, that it was sent to us.

Do you offer refunds?

Credits to your account balance, yes. Refunds back to a wallet, no — crypto is irreversible and refunding would require us to know an address belongs to you, which is itself a KYC step.

What's the difference between VPS and dedicated?

VPS = KVM virtual machine on a shared hypervisor, live-migratable, redundant host. Dedicated = a whole physical server, sole tenant, no live-migration. VPS is the right answer for almost everyone.

Do you support Terraform / Pulumi / OpenTofu?

A Terraform provider is on the roadmap; in the meantime the REST API is stable enough that a small wrapper takes about a day to write. Drop us a pull request when you do.

Can I run a Tor relay or exit node?

Relay yes. Exit no — not because we object, but because the abuse handling around exit nodes does not fit our "no complaint mailbox" stance, and we'd rather be honest about it than let you set one up and surprise you with a destruction notice.

Do you have a Discord / Slack / support chat?

No. We don't operate a real-time support channel because we don't operate the kind of business where one would help (no tickets means no human queue at the back). The docs are the support channel; if something is missing, that is a bug we want to know about.

What if I get a complaint about my server?

We won't forward it. We don't run a complaint mailbox, and that is a deliberate architectural choice rather than an oversight. The only thing that will reach you from us is a notification that we have been served with a binding court order — and even then we will let you know before we act on it, where the order does not gag us.